Security at Flourish
Your trust is at the center of what we do, which is why security is a top priority for us. Our products, processes and systems are designed to protect our users and their data.
We have a dedicated InfoSec team that answers customer security questions and ensures the business remains ISO27001 compliant. The team also coordinates third-party penetration tests of the platform.
- ISO27001 certified Flourish is certified to the internationally recognized information-security standard ISO27001 by the British Standards Institution (BSI).
- Encryption We keep visualizations secure in transit and at rest. In transit, visualizations are only accessible over TLS (HTTPS); at rest, they are encrypted with AES-256.
- Staged releases We only release software after qualifying it in development and staging environments.
- Data security Our people and systems can only access the data they need to do their job and we store your projects with cloud providers who have top-tier physical security controls.
- Secure development practice We peer review and test our code prior to release, including manual and automated checks for security issues.
- Hosted in Europe Our data is hosted with Amazon Web Services (AWS) in a Western European region, so all customer data remains within the EEA.
Our Enterprise plan offers powerful security features including:
- Password policies Set your own password policy, e.g. required combinations of character types.
- Enforce two-factor authentication Make sure everyone in your team is using 2FA.
- Approval policies Determine who, if anyone, can publish and whether they need approval.
- Session duration control Specify the expiry time for users' session cookies across your company.
- InfoSec vendor process Access to our InfoSec team and our Whistic profile.
- SSO Manage your users via SAML-based SSO.
Frequently asked questions
Are my visualizations private?
Unpublished projects are only ever visible to you or your colleagues unless you specifically publish them publicly. On an Enterprise account, you can also choose to publish behind a password and even restrict who, if anyone, is allowed to publish via approval workflows.
What cyber security standards have you set for your organization?
Flourish is ISO27001-certified by the British Standards Institution (BSI). This certification means that, as an organization, we have the people, processes and systems in place to effectively identify, assess, treat and monitor our information security risks. It means that we aim to have security built into every facet of our operations, and that we strive to improve our security posture through a process of continuous improvement.
Do you have a dedicated security team?
Yes. Our security team is made up of dedicated security professionals who work across the company to ensure our product, platforms and operations are secure.
Is your platform security externally audited?
Yes. Our ISO27001 certification requires us to have annual external audits of our information security management system and security controls.
How often do you conduct security assessments?
We conduct a rolling security review with a third-party specialist, Tradecraft. At least once a year, they perform a full white-box penetration test of our platform.
We have also partnered with Bugcrowd to run a public bug bounty program, providing continuous crowdsourced security testing. Please feel free to let us know of any bugs you encounter by emailing us at email@example.com.
How do you store my data?
Flourish stores your data in the cloud in an encrypted database. All our data is hosted by AWS in Dublin, Ireland and therefore remains within the EU.
Our systems are only accessible by the people and services that need access, following the principle of least privilege. The Flourish database is encrypted at rest using AES-256, so the underlying storage volumes and backups cannot be read by anyone who obtains the raw data without also holding the encryption keys; access to the running database itself is restricted by the least-privilege controls described above.
What laws do you comply with when it comes to data privacy?
Flourish is registered with the ICO in the UK and is bound by the UK Data Protection Act (2018), which, together with the UK GDPR, is the UK implementation of the EU GDPR.